
Summary
This detection rule identifies instances where the Winget command-line tool is used to install applications from a local manifest file on Windows systems. Winget, a package manager for Windows, gives attackers a means to download and execute potentially malicious payloads by using its manifest option: a manifest is a YAML file in which the installation parameters and package details are specified directly, so an attacker can point Winget at a manifest of their own rather than at a trusted source. Misuse of Winget in this way is a risk, which is why its usage should be monitored for signs of unauthorized activity. The rule triggers on processes involving 'winget.exe' whose command-line arguments indicate both an installation and the use of a manifest. This lets organizations act on the activity early while still distinguishing legitimate, IT-controlled use from malicious use.
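As an added illustration (not part of the original rule or its detection content), the following Python applies the described logic to a few constructed process-creation events. It assumes an event shape with `Image` and `CommandLine` fields, treats `install` and its alias `add` as the installation verb, and `-m` / `--manifest` as the manifest option of the winget CLI.

```python
import re
from typing import Dict, List

# Constructed sample process-creation events (field names assumed, Sysmon-style).
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"Image": r"C:\Users\alice\AppData\Local\Microsoft\WindowsApps\winget.exe",
     "CommandLine": r"winget.exe install --manifest C:\Users\alice\Downloads\app.yaml"},
    {"Image": r"C:\Users\bob\AppData\Local\Microsoft\WindowsApps\winget.exe",
     "CommandLine": r'"winget.exe" add -m .\tool\manifest --silent'},
    {"Image": r"C:\Users\carol\AppData\Local\Microsoft\WindowsApps\winget.exe",
     "CommandLine": r"winget.exe install Microsoft.PowerToys"},          # no manifest: benign
    {"Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /c echo install --manifest"},             # not winget.exe
    {"Image": r"C:\Users\dave\AppData\Local\Microsoft\WindowsApps\winget.exe",
     "CommandLine": r"winget.exe upgrade --all"},                        # no install verb
]

INSTALL_VERBS = {"install", "add"}        # "add" is winget's alias for "install"
MANIFEST_FLAGS = {"-m", "--manifest"}     # winget's local-manifest option


def split_cmdline(cmdline: str) -> List[str]:
    """Minimal Windows-style tokenizer: keeps double-quoted spans together."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]


def is_winget_manifest_install(event: Dict[str, str]) -> bool:
    """True when winget.exe is launched with an install verb and a manifest flag."""
    image = event.get("Image", "").lower()
    if not (image == "winget.exe" or image.endswith("\\winget.exe")):
        return False
    # Drop the executable token itself, compare the rest case-insensitively.
    args = [t.lower() for t in split_cmdline(event.get("CommandLine", ""))[1:]]
    has_install_verb = any(t in INSTALL_VERBS for t in args)
    has_manifest_flag = any(t in MANIFEST_FLAGS for t in args)
    return has_install_verb and has_manifest_flag


def find_matches(events: List[Dict[str, str]]) -> List[str]:
    """Return the command lines of all events that trigger the rule."""
    return [e["CommandLine"] for e in events if is_winget_manifest_install(e)]


if __name__ == "__main__":
    for hit in find_matches(SAMPLE_EVENTS):
        print("ALERT winget local-manifest install:", hit)
```

Only the first two constructed events fire; the plain `install`, the `cmd.exe` echo and the `upgrade` call are left alone, which is the benign-versus-malicious distinction the rule relies on.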
Categories
- Windows
- Endpoint
Data Sources
- Process
Created: 2020-04-21